blackmoon | 10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 18:50

Target

10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exe
Size

2.7MB
MD5

78f859499e7ee0089583258a0815c4ca
SHA1

5bb211d3902e4bbf7b516634c6f531beb8e704e6
SHA256

10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799
SHA512

5a42e6445f36288c09631d02d62775aeb454a6a55e397ad667c33bd481fe2097d70b81a7b952f1b0a4309107f39f4e798f4d3e211c6d45a3f38805ccdac3df10
SSDEEP

49152:ROMNT+hOy1U8EkTYN/KXeqpomFsE01zdBST1Ws:EMNChj1U8MN/KXeOFs7OWs

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\TMVGHB.GKYJ	family_blackmoon

Executes dropped EXE 1 IoCs

Processes:

TMVGHB.GKYJ

pid process

2368 TMVGHB.GKYJ

Loads dropped DLL 4 IoCs

Processes:

10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exeTMVGHB.GKYJ

Drops file in System32 directory 2 IoCs

Processes:

TMVGHB.GKYJ

description ioc process

File created C:\Windows\SysWOW64\ESPI11.dll TMVGHB.GKYJ
File opened for modification C:\Windows\SysWOW64\ESPI11.dll TMVGHB.GKYJ

description	ioc	process
File created	C:\Windows\SysWOW64\ESPI11.dll	TMVGHB.GKYJ
File opened for modification	C:\Windows\SysWOW64\ESPI11.dll	TMVGHB.GKYJ

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

TMVGHB.GKYJ

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exeTMVGHB.GKYJ

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exeTMVGHB.GKYJ

description	pid	process	target process
PID 856 wrote to memory of 2368	856	10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exe	TMVGHB.GKYJ
PID 856 wrote to memory of 2368	856	10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exe	TMVGHB.GKYJ
PID 856 wrote to memory of 2368	856	10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exe	TMVGHB.GKYJ
PID 856 wrote to memory of 2368	856	10ae094ee043955d4c0996bb09f61a4fc7e91d843182b9139755d4258b164799.exe	TMVGHB.GKYJ
PID 2368 wrote to memory of 2696	2368	TMVGHB.GKYJ	netsh.exe
PID 2368 wrote to memory of 2696	2368	TMVGHB.GKYJ	netsh.exe
PID 2368 wrote to memory of 2696	2368	TMVGHB.GKYJ	netsh.exe
PID 2368 wrote to memory of 2696	2368	TMVGHB.GKYJ	netsh.exe

\Users\Admin\AppData\Local\Temp\ESPI.dll
Filesize
120KB

MD5
c3adbb35a05b44bc877a895d273aa270

SHA1
8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

SHA256
b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

SHA512
614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

Download Submit
\Users\Admin\AppData\Local\Temp\TMVGHB.GKYJ
Filesize
2.7MB

MD5
9ee13da8d326b15464b2b4a8b5522e69

SHA1
bd567d67c3cef8aec31566469cba6dd931b2e63a

SHA256
7074285923f10b17ddb9b6765b95e59faa468c76bfeadb95c57745065922f021

SHA512
0267f4e0d35547fc070fb16bb84655b4f7fe72001b7011881dd8c4c21eddb55e7d9b2eb78551b4ac24506d20c0251c983a1c6a514e312b1d5afdddbf50ede883

Download Submit